The Internet has enabled interconnection of different computer networks all over the world. The ability to effectively protect and maintain stable computers and systems, however, presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more complicated by the continually evolving array of tactics employed by malicious software authors. Malicious software authors create malicious software (‘malware’) to disrupt or stop computer operations, steal information, gain unauthorized access to system resources, and conduct other unauthorized abusive, hostile, intrusive, or annoying activities.
Malicious software authors often attempt to avoid detection by transforming or obfuscating malware, making it appear variable and, therefore, unrecognizable to security software such as anti-virus software. Undetected malware can infect computer systems and networks and often propagates to other computers and networks. For example, malware could send out spam or malicious emails from an infected network host, steal sensitive information from a business or individual associated with an infected network host, propagate to other computers, and/or assist with distributed denial of service attacks.
In one example obfuscation technique, web browsers (e.g., Internet Explorer, etc.) that automatically remove ASCII NUL bytes from HTML files can enable malware authors to hide malware from security software by scattering random NUL bytes through HTML files, such as malicious scripts and web pages. This is referred to as the NUL HTML Exploit. In years past, McAfee, Inc. of Santa Clara, Calif., has provided security software targeting the NUL HTML Exploit in which a different view of an object is presented to a malware scanning engine. The different view shows a filtered HTML file with all ASCII NUL bytes removed. In addition, a map (or maps) shows where NUL bytes were removed and a count of the NUL bytes removed. By comparing the view and the map, an irregular pattern of NULs could be identified as malware. Additionally, the map could be evaluated to determine whether strings of interest identified in the filtered view had any NUL bytes filtered out. While this may be effective for a simple case of a NUL HTML Exploit, it is inadequate for accurately detecting more complicated forms of obfuscation in which multiple obfuscation types may be present. Security professionals need to develop innovative tools to combat such tactics that allow malicious software authors to exploit computers.
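As an added example, not part of the text above or of any product it describes, the following Python builds the filtered view and NUL map just described and uses the map to check whether a string of interest in the filtered view had NUL bytes removed from inside it. The sample HTML and the strings of interest are constructed for illustration.

```python
from dataclasses import dataclass

NUL = 0x00


@dataclass
class FilteredView:
    filtered: bytes           # the HTML as the browser effectively parses it (NULs removed)
    orig_offsets: list[int]   # orig_offsets[i] = offset in the raw buffer of filtered[i]
    nul_positions: list[int]  # offsets in the raw buffer where a NUL was removed

    @property
    def nul_count(self) -> int:
        return len(self.nul_positions)


def filter_nul_bytes(raw: bytes) -> FilteredView:
    """Produce the 'different view' (all NULs removed) plus the map of removed NULs."""
    filtered = bytearray()
    orig_offsets: list[int] = []
    nul_positions: list[int] = []
    for offset, byte in enumerate(raw):
        if byte == NUL:
            nul_positions.append(offset)
        else:
            filtered.append(byte)
            orig_offsets.append(offset)
    return FilteredView(bytes(filtered), orig_offsets, nul_positions)


def find_with_nul_map(view: FilteredView, needle: bytes) -> list[tuple[int, int]]:
    """Locate `needle` in the filtered view; for each hit report its offset in the raw
    file and how many NULs were removed from inside it. A string of interest that only
    assembles after NUL filtering is the irregular pattern a scanner would flag."""
    hits = []
    start = view.filtered.find(needle)
    while start != -1:
        end = start + len(needle) - 1
        raw_span = view.orig_offsets[end] - view.orig_offsets[start] + 1
        hits.append((view.orig_offsets[start], raw_span - len(needle)))
        start = view.filtered.find(needle, start + 1)
    return hits


# Constructed sample: NULs scattered through the tag and call a scanner would look for.
SAMPLE = b"<html><scr\x00ipt>ev\x00al(unes\x00cape(x))</script></html>"

if __name__ == "__main__":
    view = filter_nul_bytes(SAMPLE)
    print(view.filtered)                                 # b'<html><script>eval(unescape(x))</script></html>'
    print(view.nul_count, view.nul_positions)            # 3 [10, 17, 25]
    print(find_with_nul_map(view, b"<script>"))          # [(6, 1)]
    print(find_with_nul_map(view, b"eval(unescape("))    # [(15, 2)]
```

A hit whose second element is non-zero means the string of interest did not exist byte-for-byte in the file the scanner originally received, which is the case the filtered view alone cannot distinguish from a clean file.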